Examine the details surrounding Azure DevOps Secure Files
In Azure DevOps, Secure Files provide a way to store and manage sensitive files (e.g., certificates, private keys) that a pipeline needs at run time without committing them to a repository. The files are encrypted at rest and can only be downloaded by pipelines that have been explicitly authorized to use them, and by users holding the appropriate Library role. Here's how to upload, manage, and use secure files in YAML pipelines.
1. How to Upload Secure Files
To upload a secure file into Azure DevOps, follow these steps:
Steps to Upload Secure Files:
Navigate to the Azure DevOps Project: Go to your Azure DevOps project where you want to upload the secure file.
Go to Project Settings: In the bottom-left corner of the project, click on Project Settings (the gear icon).
Access Secure Files: Under the Pipelines section, click on Secure Files.
Upload Secure Files:
Click on the + Secure file button.
In the dialog box, select the file you want to upload (e.g., a .pfx certificate, a .pem private key, or any other sensitive file). Once selected, click Upload.
The file will be stored encrypted in Azure DevOps and can now be used in your pipelines.
2. How to Manage Secure Files
Managing Permissions for Secure Files:
To ensure that only authorized users or pipelines can access secure files, you can manage permissions:
Go to the Secure Files Section: Navigate to Project Settings → Pipelines → Secure Files.
Select a Secure File: Select the secure file you want to manage.
Manage Permissions:
Select the secure file and open its Security settings to assign Library roles (Reader, User, Creator, Administrator) to users or groups. The User role is what allows a pipeline to consume the file; Administrator allows someone to replace, delete, or re-permission it, so keep that role to a small group.
Separately, under the file's Pipeline permissions, authorize only the specific pipelines that need it. Leave the option that authorizes all pipelines in the project unchecked unless every pipeline genuinely needs the file.
By default a newly uploaded secure file is not authorized for any pipeline: the first run that references it stops and asks an authorized user to grant access. This is the control that stops an unrelated or compromised pipeline definition from simply referencing the file and downloading it.
Audit Access to Secure Files:
Azure DevOps records management actions on secure files (creation, modification, deletion, and permission changes) in the organization-level audit log, not in project settings:
Go to Organization Settings → Auditing (auditing must be enabled for the organization).
Filter on Library events to see who changed a secure file or its permissions, and when. Which runs actually downloaded a file is not in the audit log; look at the DownloadSecureFile step in each run's logs for that.
3. How to Use Secure Files in YAML Pipelines
Once you have uploaded the secure files, you can reference them within your YAML pipelines.
Using Secure Files in YAML Pipelines:
To use secure files in your pipeline, you will use the DownloadSecureFile
task. This task will securely download the file and make it available for use in subsequent steps.
Basic YAML Example:
trigger:
- main

pool:
  vmImage: 'ubuntu-latest'

jobs:
- job: UseSecureFiles
  steps:
  - task: DownloadSecureFile@1
    name: downloadCert          # lets later steps reference $(downloadCert.secureFilePath)
    inputs:
      secureFile: 'my-certificate.pfx'   # Name of the secure file you uploaded
  - script: |
      echo "Certificate downloaded to $(downloadCert.secureFilePath)"
      # Use the downloaded file in subsequent tasks
      # Example: Import certificate, use in deployment, etc.
    displayName: 'Use Secure File in Deployment'
In this example:
DownloadSecureFile@1: the task that fetches the secure file (here, my-certificate.pfx) from the Library onto the agent.
secureFile: the name of the file as uploaded in Azure DevOps (it must match the uploaded file name exactly).
name: downloadCert: gives the step a reference name so later steps can read the download location from the task's secureFilePath output variable, $(downloadCert.secureFilePath).
Accessing the File After Download:
The task downloads the secure file into $(Agent.TempDirectory), keeping the original file name, and also publishes the full path as the secureFilePath output variable. Either reference works; the output variable is the more robust one because it does not depend on you spelling the file name twice. For example, to use the downloaded file in a script step (e.g., to import a certificate), reference the path like this:
CERT_PATH="$(Agent.TempDirectory)/my-certificate.pfx"   # equivalent to $(downloadCert.secureFilePath)
echo "Certificate is located at $CERT_PATH"
This makes it easy to use the file in subsequent deployment steps, such as adding it to a certificate store, or using it for signing or authentication.
4. Clean-up: Delete Secure Files After Use
Two different things can be deleted here. The secure file stored in the Library persists until someone removes it, so retiring or rotating a certificate means deleting or replacing it there. The downloaded copy lives in $(Agent.TempDirectory), which the agent cleans after each job; an explicit delete step is still worthwhile when a step has copied the file elsewhere (for example into the sources directory or a certificate store on a self-hosted agent), or when you want the plaintext gone before the job ends rather than after it.
Steps to Delete Secure Files Manually:
Go to Project Settings → Pipelines → Secure Files.
Select the file you wish to delete and click the Delete button.
To remove the downloaded copy from the agent within the pipeline, add a script step after the steps that use it. Give it condition: always() so it runs even when an earlier step failed, which is exactly the situation in which a plaintext key is most likely to be left behind:
- script: |
    echo "Deleting downloaded certificate file"
    rm -f "$(Agent.TempDirectory)/my-certificate.pfx"
  displayName: 'Delete Secure File'
  condition: always()   # run the cleanup even if a previous step failed
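The consuming step from sections 3 and 4 in hardened form, as an added example that is not from the original article or from Microsoft's own documentation. It is a POSIX shell script for the script: step that follows DownloadSecureFile@1, and it assumes the step's env: block maps $(downloadCert.secureFilePath) to SECURE_FILE_PATH and a pipeline variable holding the file's pinned SHA-256 digest to EXPECTED_SHA256 (both variable names are this example's own choice). It refuses to proceed unless the downloaded file matches the pinned digest, restricts the file's permissions, and removes the plaintext copy on exit even if an earlier command failed. Run without those variables set, it performs a self-check on a constructed stand-in file so it can be exercised outside Azure DevOps.

```shell
#!/usr/bin/env sh
# Added example (not part of the original article): hardening the step that
# consumes a secure file downloaded by DownloadSecureFile@1.
# In the pipeline step, map the task output and a pinned digest into the
# environment (both variable names below are this example's own choice):
#   env:
#     SECURE_FILE_PATH: $(downloadCert.secureFilePath)
#     EXPECTED_SHA256: $(CertSha256)   # pipeline variable holding the pinned digest
set -eu

# SHA-256 of a file, using coreutils sha256sum or BSD/perl shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Fail closed before anything uses the file: it must be a regular non-empty
# file whose digest matches the value pinned in the pipeline. A mismatch means
# the Library item was replaced or the wrong secureFile name was referenced.
verify_secure_file() {
  vsf_path="$1"; vsf_expected="$2"
  if [ ! -f "$vsf_path" ] || [ ! -s "$vsf_path" ]; then
    echo "secure file missing or empty: $vsf_path" >&2
    return 1
  fi
  vsf_actual="$(sha256_of "$vsf_path")"
  if [ "$vsf_actual" != "$vsf_expected" ]; then
    echo "secure file digest mismatch: expected $vsf_expected, got $vsf_actual" >&2
    return 1
  fi
  chmod 600 "$vsf_path"   # only the agent user needs to read it
  return 0
}

# Remove the plaintext copy. The agent cleans $(Agent.TempDirectory) after the
# job, but an explicit, always-run cleanup also covers copies made elsewhere
# and self-hosted agents. shred is best effort (journaling and SSDs limit it).
cleanup_secure_file() {
  csf_path="$1"
  if [ -f "$csf_path" ]; then
    if command -v shred >/dev/null 2>&1; then
      shred -u "$csf_path"
    else
      rm -f "$csf_path"
    fi
  fi
  [ ! -e "$csf_path" ]
}

# Entry point for the pipeline step: verify, use, and clean up even on failure.
secure_file_main() {
  sfm_path="${SECURE_FILE_PATH:?map \$(downloadCert.secureFilePath) into SECURE_FILE_PATH}"
  sfm_expected="${EXPECTED_SHA256:?set EXPECTED_SHA256 to the pinned digest}"
  trap 'cleanup_secure_file "$sfm_path"' EXIT
  verify_secure_file "$sfm_path" "$sfm_expected"
  echo "secure file verified: $sfm_path"
  # ... signing / deployment commands that read "$sfm_path" go here ...
}

if [ -n "${SECURE_FILE_PATH:-}" ]; then
  secure_file_main
else
  # Stand-alone self-check with a constructed stand-in for the .pfx (the bytes
  # "abc", not a real certificate) so the script runs outside Azure DevOps.
  demo_dir="$(mktemp -d)"
  printf 'abc' > "$demo_dir/my-certificate.pfx"
  verify_secure_file "$demo_dir/my-certificate.pfx" \
    ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
  cleanup_secure_file "$demo_dir/my-certificate.pfx"
  rmdir "$demo_dir"
  echo "self-check passed"
fi
```

The digest pin is what turns "a file called my-certificate.pfx was downloaded" into "the certificate we reviewed was downloaded": anyone holding the Administrator role on the Library item can replace its contents without touching the pipeline YAML, and the pinned value (stored as an ordinary, non-secret pipeline variable and updated deliberately when the certificate is rotated) makes such a swap fail the run instead of being silently signed with. The trap on EXIT is what makes the cleanup equivalent to a condition: always() step when everything happens inside a single script step.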
5. Best Practices for Using Secure Files in Azure DevOps
Limit Access: Only allow access to secure files by users, groups, or pipelines that require it. This minimizes the risk of unauthorized access.
Use Secure Storage for Sensitive Files: Secure files should be used exclusively for sensitive data that cannot be stored in plain text or version control (e.g., certificates, private keys).
Avoid Storing in Repositories: Never commit sensitive files like .pfx certificates, .pem keys, or passwords to source control repositories. Use Azure DevOps Secure Files instead.
Audit Logs: Regularly check audit logs to monitor who accessed secure files and when. This helps ensure compliance with security policies.
Temporary Use: Secure files are only needed during pipeline execution. Ensure they are downloaded only when required and are not lingering in the pipeline environment longer than necessary.
Encryption: Azure DevOps encrypts secure files at rest, but the DownloadSecureFile task hands any authorized step the plaintext file. Encryption at rest protects the Library storage, not a pipeline that has been granted access, so the real boundary is pipeline authorization and the Library roles above. Rely on the built-in storage rather than ad-hoc schemes that decrypt files inside the pipeline, since those only move the problem to wherever the decryption key is kept.
Summary
By using Secure Files in Azure DevOps, you can securely manage sensitive files (such as certificates, SSH keys, and service account credentials) and integrate them into your YAML pipelines. The DownloadSecureFile task makes it easy to use these files securely during the build, release, and deployment processes.
Following best practices around file permissions, access control, and clean-up will help keep your sensitive information secure and your pipelines efficient.